
martin

Re: OpenSSL CVE-2022-3786 and CVE-2022-3602 impact

Yes, the current version of WinSCP is based on OpenSSL 1.1.1. No version of WinSCP ever used OpenSSL 3.0.

So, no version of WinSCP is vulnerable to CVE-2022-3786 or CVE-2022-3602.
kyle ct

Inspecting the Download Source and WinSCP history link, I noted that since v5.21.2 (2022-08-08) the OpenSSL version was set to 1.1.1q.
libs\openssl\include\openssl\opensslv.h
OpenSSL 1.1.1q 5 Jul 2022
kyle ct

OpenSSL CVE-2022-3786 and CVE-2022-3602 impact

Based upon previous posts, WinSCP uses OpenSSL for FTP over TLS.
Issue 1151 – OpenSSL vulnerability CVE-2014-0160

Is there any confirmation that OpenSSL versions (3.0.0 – 3.0.6) are not bundled into the current versions? If so, is there an update planned with version 3.0.7?
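
The header check described in this thread can be automated over an unpacked source tree. The following is an added example, not part of the thread and not WinSCP's own code: it reads the `OPENSSL_VERSION_TEXT` define from every `opensslv.h` it finds and compares the version against the 3.0.0 to 3.0.6 range named in the question. The function names and the sample header lines are constructed for illustration.

```python
import os
import re

# Range named in the thread: OpenSSL 3.0.0 through 3.0.6 (3.0.7 is the fixed release).
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 0, 6)

# Matches e.g.  # define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1q  5 Jul 2022"
_VERSION_TEXT = re.compile(
    r'^[ \t]*#[ \t]*define[ \t]+OPENSSL_VERSION_TEXT[ \t]+'
    r'"OpenSSL[ \t]+(\d+)\.(\d+)\.(\d+)([a-z]*)',
    re.MULTILINE,
)


def parse_version(header_text):
    """Return ((major, minor, patch), letter) or None if no version string is found."""
    m = _VERSION_TEXT.search(header_text)
    if m is None:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)


def classify(header_text):
    """Classify a header as 'affected', 'not affected' or 'unknown'."""
    parsed = parse_version(header_text)
    if parsed is None:
        return "unknown"  # do not assume safe; inspect the file by hand
    version, _letter = parsed
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "not affected"


def scan_tree(root):
    """Map every opensslv.h under root to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "opensslv.h" in files:
            path = os.path.join(dirpath, "opensslv.h")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = classify(fh.read())
    return results


# Constructed sample header lines (not copied from any release).
SAMPLE_111Q = '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1q  5 Jul 2022"\n'
SAMPLE_306 = '# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.6 11 Oct 2022"\n'

if __name__ == "__main__":
    print(classify(SAMPLE_111Q), classify(SAMPLE_306))
```

A header with no recognisable version string is reported as "unknown" rather than "not affected", so a templated or modified header still gets a manual look.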